aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* plugin-loader: Move logging of failed features to status()Tobias Brunner2013-06-211-7/+11
| | | | | | | | | Still log an error message if critical features fail, as loaded plugins/features are not logged in that case. This way loaded plugins are printed before failed features and the relation is easier to make for users. It also allows programs to log this message on a different level.
* plugin-loader: Add method to print loaded plugins on a given log levelTobias Brunner2013-06-2110-4/+26
|
* plugin-loader: Collect statistics while loading features, print them in case ↵Tobias Brunner2013-06-211-69/+40
| | | | | | | features failed to load There is no need to explicitly search for failed features in critical plugins as this is now detected while loading the features.
* plugin-loader: Use different log level if failed feature is in critical pluginTobias Brunner2013-06-211-2/+16
|
* plugin-loader: Log message when failing to load pluginTobias Brunner2013-06-211-0/+8
|
* plugin-loader: Reduce verbosity while loading pluginsTobias Brunner2013-06-211-4/+4
|
* Fix crash if the initiator has no suitable proposal availableTobias Brunner2013-06-211-0/+5
| | | | Could be triggered with a typo in the ike or esp options when ! is used.
* Merge branch 'unit-tests-ecdsa'Martin Willi2013-06-2117-160/+866
|\ | | | | | | | | | | Adds support for testing plugin functionality to test-runner. Introduces some good/bad tests for ECDSA/RSA which would have caught those RSA/ECDSA signature vulnerabilities.
| * leak-detective: (re-)whitelist some OpenSSL functionsMartin Willi2013-06-211-0/+5
| | | | | | | | | | | | | | Some static allocations in plugins won't get freed, because in the test case process the plugins are not destroyed. If a plugin would clean up allocations done while just using the plugin, these show up as leak in the child process, letting tests fail.
| * unit-tests: load plugins in test-runner from build directoryMartin Willi2013-06-212-1/+30
| |
| * unit-tests: link test-runner against -lpthreadMartin Willi2013-06-211-0/+1
| |
| * unit-tester: remove obsolete rsa_gen test, now covered in unit-testsMartin Willi2013-06-213-122/+0
| |
| * unit-tests: add RSA test cases, very similar to ECDSAMartin Willi2013-06-214-1/+400
| |
| * unit-tests: test with /dev/urandom if random plugin is in useMartin Willi2013-06-211-0/+6
| |
| * unit-tests: test supported ECDSA schemes onlyMartin Willi2013-06-211-0/+14
| |
| * Move test-runners has_feature() function to plugin loaderMartin Willi2013-06-213-32/+40
| |
| * unit-tests: enforce CET/CEST timezone to properly test non-UTC time formattingMartin Willi2013-06-211-0/+6
| |
| * unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates dataMartin Willi2013-06-211-3/+10
| | | | | | | | The new allocation might be in the freed area, affecting the test result.
| * unit-tests: define 64-bit constats with ULL, fixing compiler warning on 32-bitMartin Willi2013-06-211-2/+2
| |
| * Limit cleanup of .gc{no,da} files to src and scripts subfoldersMartin Willi2013-06-211-2/+2
| | | | | | | | | | Other folders in the build tree might not be related to the strongSwan tree, or are not even accessible.
| * unit-tests: test some zeroed ECDSA signatures that never should succeedMartin Willi2013-06-211-0/+63
| |
| * unit-tests: perform signing/validation with keys ECDSA keys generated or loadedMartin Willi2013-06-211-0/+47
| |
| * unit-tests: add an ECDSA test case loading keysMartin Willi2013-06-211-0/+61
| |
| * unit-tests: perform a first ECDSA test case if ECDSA is supportedMartin Willi2013-06-214-1/+58
| |
| * unit-tests: add a helper function checking if a plugin feature is availableMartin Willi2013-06-211-0/+32
| |
| * unit-tests: add a test case checking if all test vectors have been passedMartin Willi2013-06-214-1/+44
| |
| * crypto-factory: count the number of test vector failures during registrationMartin Willi2013-06-212-30/+73
| |
| * unit-tests: load all libstrongswan plugins in test-runnerMartin Willi2013-06-212-0/+7
|/
* stroke: Add statusall-nb as alias for statusallnbTobias Brunner2013-06-212-1/+2
|
* stroke: Add non-blocking versions of up and downTobias Brunner2013-06-213-5/+23
| | | | | | stroke up-nb and stroke down-nb do not block until the command has finished. Instead, they return right after initiating the respective operation.
* starter: Make ipsec.conf path configurable via command lineTobias Brunner2013-06-211-3/+14
|
* pubkey: Improve comparison of raw public key certificate objectsTobias Brunner2013-06-211-1/+11
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* charon-cmd: use a copy of pid in initiate callbackMartin Willi2013-06-201-6/+7
| | | | | When cancelling a connection that gets established, cmd_connection_t gets freed before terminate() is called. This results in kill()ing invalid PID.
* charon-cmd: add IKEv1 aggressive mode profilesMartin Willi2013-06-203-10/+35
|
* NEWS: Add first bunch of 5.1.0 highlightsMartin Willi2013-06-201-0/+19
|
* Merge branch 'nat-transport'Martin Willi2013-06-194-60/+306
|\ | | | | | | | | | | Enable transport mode in NAT situations when using IKEv2. Additionally brings an extended leftsubnet format, where each subnet can take a separate protocol and port.
| * man: update ipsec.conf.5, describing new proto/port definition within leftsubnetMartin Willi2013-06-191-24/+34
| |
| * stroke: support %dynamic in left/rightsubnet for dynamic selectorsMartin Willi2013-06-191-2/+10
| | | | | | | | | | | | | | This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.
| * kernel-netlink: install selectors on SA for transport/BEET mode without ↵Martin Willi2013-06-191-0/+6
| | | | | | | | | | | | | | | | proto/port If a transport/BEET SA has different selectors for different proto/ports, installing just the proto/port of the first SA would break any additional selector.
| * stroke: support a specific proto/port for each net defined in left/rightsubnetMartin Willi2013-06-191-3/+105
| |
| * ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
| |
| * ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|/
* Merge branch 'consistent-reqid'Martin Willi2013-06-194-9/+62
|\ | | | | | | | | | | | | | | | | | | Checks if a trap policy exists when installing a CHILD_SA as responder, reuse that reqid and keeping the trap untouched. This makes auto=route on both sides more reliable. In addition, we no prevent to refcount an existing policy if the reqid differs; this should not happen anymore. We now can properly reject new CHILD_SAs in such conflicts, instead of silently breaking an existing policy.
| * ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | | | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
| * trap-manager: add a method to find reqid for installed traps by configMartin Willi2013-06-192-2/+38
| |
| * trap-manager: don't check-in nonexisting IKE_SA if acquire failsMartin Willi2013-06-191-2/+1
| |
| * trap-manager: fix a memleak when installing a trap to %anyMartin Willi2013-06-191-0/+1
| |
| * kernel-netlink: reject policy refcount if the reqid differsMartin Willi2013-06-191-4/+17
|/ | | | | | | | | | | | | Previously we silently replaced an existing policy with a new one if the reqid changed for the same selectors. This will break an old policy in the favour of the new one (for example if two clients behind the same NAT use transport mode). With this change any new policy gets rejected if the reqid differs. This will make sure we break no existing policy. For rekeying and acquires we still can have overlapping policies (as we use the same reqid), but for unrelated connections this is not true anymore (it wasn't actually before, we just silently broke the existing policy).
* stroke: add exportconn{cert,chain} commands in addition to exportx509Martin Willi2013-06-195-7/+80
| | | | | The new commands either export a single end entity certificate or the full trust chain for a specific connection name.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 16:17:16 +0000